
Server Security Requirements and References

The following recommendations are meant as a guide to securing servers (a server being a physical or virtual instance of an autonomous software system intended to connect with and provide services to other computers). Not every recommendation will apply to every server, so the system administrator should exercise their own judgment in conjunction with their department's requirements and business needs. Deviations from the recommended guidelines should be documented according to each department's own procedures. The end goal is a secure server that meets the functional and business needs of each department.

Where a department is required to comply with PCI (Payment Card Industry) regulations, the applicable items are labeled "PCI/DSS". For departments subject to PCI, those items are requirements for PCI certification, not recommendations. The "Installation" and "Configuration" sections are aimed at system administrators; the "Hosting" section applies to data centers or anyone hosting a server; and "Ongoing" applies to the individuals or departments maintaining servers.

Specific sections for the most common operating systems at Northwestern have been included (Windows, RedHat Linux and OS X, plus a general UNIX section whose items also cover Solaris). Other operating systems (e.g. Debian, OpenBSD) are addressed by the general recommendations that apply to the respective operating system regardless, augmented by the hardening guidelines from CIS (Center for Internet Security).

Audience:

Department and group information technology support and information technology security staff.

Policy Statement:

Windows Server Security Recommendations

Installation

Number Recommendation/Description References
1 Disable system restore (if applicable to the version of Windows)
2 Systems (servers) with a NetID password feed may not be used for multiple purposes. Exceptions require approval of Northwestern IT-ISS/C.
3 (PCI/DSS) Implement only one primary function per server (for example, web servers, database servers, and DNS should be implemented on separate servers). Note that running DNS on a Domain Controller is allowable under this PCI requirement. 15

Configuration

Number Recommendation/Description References
1 Remove, disable or change password of default accounts 1, 2, 3, 4
2 Guest accounts disabled 1, 2, 3
3 All local and domain accounts with privileges above normal user level should have a minimum 15 character passphrase and must be changed at least once every quarter. To facilitate remembering such a password, wallet-sized cards may be created and carried by system administrators for reference. 1, 2, 3, 4
4 Audit the use of all privileged accounts. This auditing should include the read and write access performed by these accounts. 1, 2, 3, 4
5 Machines may not be connected to the network until they have had the latest OS and application updates applied, anti-virus software installed and activated, the firewall enabled, AND a strong passphrase set on all accounts. 1, 2, 3, 4, 8, 11
6 Run an OS version that is no more than one minor release, or service pack, behind the current release, if business needs allow for it. 1, 2, 3, 4, 8
7 Software and OS patches installed as soon as practical for your environment. 1, 2, 3, 4
8 (PCI/DSS) Ensure that all system components and software have the latest vendor-supplied security patches installed. Install relevant security patches within one month of release. 15
9 (PCI/DSS) Deploy anti-virus software on all systems commonly affected by viruses, ensure that anti-virus programs are capable of detecting, removing, and protecting against other forms of malicious software, including spyware and adware. 15
10 (PCI/DSS) Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs. 15
11 Hosts should automatically disable the local account, or block the attacking host, for not less than two minutes after 15 authentication failures within a rolling five-minute window. 1, 2, 3, 4
12 Unused services should be disabled 1, 2, 3, 4, 8, 11
13 Prevent Windows from storing the LM hash of account passwords (the NoLMHash setting). 6
14 Clock must be automatically synchronized to a recognized time server (time.northwestern.edu). 1, 2, 3, 12
15 Departments must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise. 19
16 Departments must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in emergency situations. 19
17 Departments must: (i) ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions; (ii) ensure that organizational information and information systems are protected during and after personnel actions such as terminations and transfers; and (iii) employ formal sanctions for personnel failing to comply with organizational security policies and procedures. 19

Networking

Number Recommendation/Description References
1 Appliance based firewall required. If a host based firewall option is available, consider using it in addition to the appliance. 13
2 (PCI/DSS) Build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data, including any connections from wireless networks. 15
3 (PCI/DSS) Prohibit direct public access between external networks and any system component that stores cardholder data (for example, databases, logs, trace files). 15
4 No open, non-authenticated file sharing may be enabled. 5
5 (PCI/DSS) Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS (transport layer security) for web-based management and other non-console administrative access. 15
6 Remote access software must be disabled or restricted to specific IP addresses by default. It can be temporarily enabled on a case by case basis by authorized personnel. Only software that supports end to end encryption should be used for this purpose.

Hosting

Number Recommendation/Description References
1 Port Reporter or similar system installed and active. 7
2 Encrypted backups should be taken regularly, and all on/off site storage should be physically secure.
3 (PCI/DSS) Clocks must be synchronized to two (2) internally hosted time servers. Note: as of 5/15/08, NU has only one recognized internal time server (time.northwestern.edu). 15
4 Housed at University data center or similar setup.

Ongoing

Number Recommendation/Description References
1 Mandatory audit log monitoring program or procedure by personnel of the department owning the logs or an approved subcontractor/vendor. 4
2 (PCI/DSS) Logs must be reviewed, or aggregated and then reviewed, daily. 15
3 (PCI/DSS) Logs must be available online (electronically) for three months, available on tape (or other removable media) for one year. 15
4 (PCI/DSS) Ensure that all system components and software have the latest vendor-supplied security patches installed. Install relevant security patches within one month of release. 15
5 (PCI/DSS) Establish a process to identify newly discovered security vulnerabilities (for example, subscribe to alert services freely available on the Internet). Update standards to address new vulnerability issues. 15
6 Encrypt sensitive data (Recommendations currently in development). 14
7 Defined process for approval, acceptable use, and removal of system privileges.
8 (PCI/DSS) Follow change control procedures for all system and software configuration changes. 15
9 (PCI/DSS) Identify all users with a unique user name with at least one authentication method (passphrase, token device and/or biometrics). 15
10 (PCI/DSS) Immediately revoke access for any terminated users. 15
11 Remove inactive user accounts at least every 90 days. 15
12 (PCI/DSS) Set first-time passwords to a unique value for each user and change immediately after the first use 15

UNIX/Linux Server Security Recommendations

UNIX: Minimum Hardening Steps

There are various flavors of Unix/Linux in use at Northwestern. The predominant flavors, RedHat and OS X, are addressed below. In-depth hardening guidelines may be downloaded at http://www.cisecurity.org, which includes hardening guides for operating systems such as FreeBSD, Debian, SUSE, Slackware, AIX and HP-UX. That site also has documentation for older versions of supported operating systems.

Installation

Number Recommendation/Description References
1 Apply the latest OS patches, and install TCP Wrappers and SSH if they are not installed by default. 18
2 Systems (servers) with a NetID password feed may not be used for multiple purposes. Exceptions require approval of Northwestern IT-ISS/C.
3 (PCI/DSS) Implement only one primary function per server (for example, web servers, database servers, and DNS should be implemented on separate servers). Note that running DNS on a Domain Controller is allowable under this PCI requirement. 15

Configuration

Number Recommendation/Description References
1 Remove, disable or change password of default accounts. 1, 2, 3, 4
2 Minimize inetd network services (time, echo, discard, daytime, chargen, fs, dtspc, exec, comsat, talk, finger, uucp, name, xaudio, netstat, ufsd, rexd, systat, sun-dr, uuidgen, krb5_prop). 18
3 Do not enable the following services unless absolutely necessary (telnet, FTP, rlogin, TFTP, LPD, rquotad, CDE, Volume Manager, removable media daemon, Kerberos, GSS daemon). 18
4 Minimize boot services via the following recommendations: 18
  • Disable login: prompts on serial ports
  • Set daemon umask
  • Disable inetd if possible; if not, remove unnecessary services as noted above
  • Disable email server, if possible
  • Disable boot services if possible
5 Kernel Tuning Modifications
  • Disable or restrict core dumps to protected directory
  • Enable stack protection
  • Restrict NFS client requests to privileged ports
  • Use better TCP sequence numbers
6 Logging 18
  • Turn on inetd tracing
  • Capture messages sent to syslog AUTH facility
  • Create /var/adm/loginlog
  • Turn on cron logging
  • Enable system accounting
  • Enable kernel-level auditing (BSM) if performance is not an issue
  • Confirm permissions on system log files
7 File, Directory Permissions and Access 18
  • Add 'logging' option to root file system
  • Add 'nosuid' option to /etc/rmmount.conf
  • World-writable directories should have their sticky bit set
  • Find unauthorized world-writable files
  • Find unauthorized SUID/SGID system executables
  • Find "unowned" files and directories
  • Run fix-modes utility
8 System Access, Authentication, and Authorization 18
  • Disable "nobody" access for secure RPC
  • Prevent syslog from accepting messages from the network
  • Disable the XDMCP port
  • Prevent X from listening on port 6000/TCP
  • Set screensaver timeout
  • Restrict at and cron to authorized users
  • Remove empty crontab files and restrict file permissions
  • Restrict root logins to the system console
  • Limit the number of failed login attempts
  • Set EEPROM security-mode and log failed access attempts
9 User Accounts and Environment 18
  • Block the system accounts (e.g. nobody)
  • Verify that there are no accounts with empty password fields in /etc/shadow
  • Set account expiration parameters
  • Verify no legacy '+' entries exist in passwd, shadow, and group files
  • Verify that no UID 0 accounts other than root exist
  • No '.' or group/world-writable directory in root's path
  • No user dot files should be group/world writable (mode 744 or more restrictive)
  • Remove user .netrc files
  • Set the default umask for all users
  • Set "mesg n" as default for all users
10 Warning Banners 18
  • Create warnings for physical access services (console), GUI logins and any remote access services that were enabled (e.g. Telnet, FTP, SSH).
11 (PCI/DSS) Ensure that all system components and software have the latest vendor-supplied security patches installed. Install relevant security patches within one month of release. 15
12 (PCI/DSS) Deploy anti-virus software on all systems commonly affected by viruses, ensure that anti-virus programs are capable of detecting, removing, and protecting against other forms of malicious software, including spyware and adware. 15
13 (PCI/DSS) Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs. 15
14 Clock must be automatically synchronized to a recognized time server (time.northwestern.edu). 1, 2, 3, 12
15 Departments must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise. 19
16 Departments must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in emergency situations. 19
17 Departments must: (i) ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions; (ii) ensure that organizational information and information systems are protected during and after personnel actions such as terminations and transfers; and (iii) employ formal sanctions for personnel failing to comply with organizational security policies and procedures. 19
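The file and directory checks in item 7 (and the dot-file check in item 9) are easiest to keep honest as a script that runs on a schedule and is diffed against its previous output. What follows is an added example, not code from this page or from the CIS benchmarks: a read-only POSIX shell audit that reports world-writable files, world-writable directories without the sticky bit, set-UID/set-GID executables, unowned files, and group/world-writable dot files in home directories. The sample tree built by make_sample_tree (its paths, file names and modes) is constructed for the demonstration so that the script runs unprivileged and offline; on a real host call fs_audit with / and /home (or /export/home), adding -xdev to the find commands to stay on local filesystems. The same items recur as RedHat Configuration items 15 and 20 and OS X Configuration items 15 and 20.

```shell
#!/bin/sh
# Added example, not code from the Northwestern page or the CIS benchmarks.
# Read-only audit for item 7 (and the dot-file bullet of item 9): reports
# world-writable files, world-writable directories without the sticky bit,
# set-UID/set-GID executables, unowned files, and group/world-writable dot
# files in home directories. The sample tree built by make_sample_tree is
# constructed for the demonstration so the script runs unprivileged, offline.

# Print one finding per line as "<category> <path>"; always returns 0 so the
# caller can count or grep the output. $1 = root of the tree to scan,
# $2 = parent directory of the user home directories (/home, /export/home).
fs_audit() {
    scan_root=$1
    homes=$2
    # world-writable regular files: any local user can replace their contents
    find "$scan_root" -type f -perm -0002 -print 2>/dev/null \
        | sed 's|^|world-writable-file |'
    # world-writable directories lacking the sticky bit: any user can delete or
    # rename another user's files there (/tmp-style directories must be 1777)
    find "$scan_root" -type d -perm -0002 ! -perm -1000 -print 2>/dev/null \
        | sed 's|^|world-writable-dir-no-sticky |'
    # set-UID / set-GID executables: review this list against the vendor's
    find "$scan_root" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null \
        | sed 's|^|suid-sgid |'
    # files whose owner or group is no longer in passwd/group
    find "$scan_root" \( -nouser -o -nogroup \) -print 2>/dev/null \
        | sed 's|^|unowned |'
    # dot files directly under a home directory that group or world can write:
    # a writable .profile lets another user run commands as the owner at login
    find "$homes" -mindepth 2 -maxdepth 2 -type f -name '.*' \
        \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null \
        | sed 's|^|writable-dotfile |'
    return 0
}

# Number of findings (avoids the non-zero exit that grep -c gives on zero).
fs_audit_count() {
    fs_audit "$1" "$2" | awk 'END { print NR }'
}

# Constructed sample: one instance of each problem plus two items that must
# NOT be reported (a sticky /tmp and a mode 644 dot file).
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/tmp" "$d/var/spool/drop" "$d/home/alice"
    printf '#!/bin/sh\nexit 0\n' > "$d/usr/bin/helper"
    chmod 4755 "$d/usr/bin/helper"            # set-UID executable
    printf 'shared\n' > "$d/var/spool/shared.txt"
    chmod 666 "$d/var/spool/shared.txt"       # world-writable file
    chmod 777 "$d/var/spool/drop"             # world-writable, no sticky bit
    chmod 1777 "$d/tmp"                       # correct: sticky bit set
    printf 'umask 022\n' > "$d/home/alice/.profile"
    chmod 664 "$d/home/alice/.profile"        # group-writable dot file
    printf '# ok\n' > "$d/home/alice/.bashrc"
    chmod 644 "$d/home/alice/.bashrc"         # correct
    printf '%s\n' "$d"
}

# Run directly: build the sample and print its findings.
SAMPLE_TREE=$(make_sample_tree)
fs_audit "$SAMPLE_TREE" "$SAMPLE_TREE/home"
```

The unowned check finds nothing in the sample, because creating such a file needs root; on a live host it is the one that catches leftovers from deleted accounts. Compare the suid-sgid list against the package manager's record of what should carry those bits (rpm -V on RedHat) rather than reviewing it by eye.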

Networking

Number Recommendation/Description References
1 Appliance based firewall required. If a host based firewall option is available, consider using it in addition to the appliance. 13
2 (PCI/DSS) Build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data, including any connections from wireless networks. 15
3 (PCI/DSS) Prohibit direct public access between external networks and any system component that stores cardholder data (for example, databases, logs, trace files). 15
4 No open, non-authenticated shares/mounts may be enabled. 5, 18
5 (PCI/DSS) Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS (transport layer security) for web-based management and other non-console administrative access. 15
6 Remote access software (SSH) must be disabled or restricted to specific IP addresses/subnets by default. It can be temporarily enabled on a case by case basis by authorized personnel. Only software that supports end to end encryption should be used for this purpose. 18
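Networking item 6, together with Configuration items 8 (restrict root logins to the console, limit failed login attempts) and 10 (warning banners), translates into a handful of sshd_config directives plus the tcp_wrappers files. The following is an added example, not code from this page, the CIS benchmarks or OpenSSH: a shell audit that reads an sshd_config and the hosts.allow/hosts.deny pair and reports root login over SSH, a missing banner, an unbounded MaxAuthTries, and an SSH rule that admits ALL or has no default deny. It builds a weak and a hardened sample in a temporary directory so it runs offline; the subnets in the hardened hosts.allow are RFC 5737 documentation ranges standing in for a department's real management networks, and the checker assumes the config has no Match blocks. The same item recurs as RedHat Networking item 6 and OS X Networking item 6.

```shell
#!/bin/sh
# Added example, not code from the Northwestern page, CIS or OpenSSH.
# Audits sshd_config and tcp_wrappers files against Networking item 6 and
# Configuration items 8 and 10. Assumption: no Match blocks in sshd_config.

# Effective value of one sshd_config directive: sshd takes the first match,
# keywords are case-insensitive, '#' starts a comment. Prints nothing if unset.
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }' "$1"
}

# One finding per line; always returns 0.
sshd_audit() {
    cfg=$1
    # "no" makes administrators log in as themselves and su/sudo, which keeps
    # an attributable audit trail; root remains usable on the console
    v=$(sshd_get "$cfg" PermitRootLogin)
    [ "$v" = "no" ] || echo "sshd-root-login-permitted (PermitRootLogin ${v:-default})"
    # a banner is what the warning-banner item asks for on the SSH path
    v=$(sshd_get "$cfg" Banner)
    if [ -z "$v" ] || [ "$v" = "none" ]; then
        echo "sshd-no-banner"
    elif [ ! -s "$v" ]; then
        echo "sshd-banner-file-missing $v"
    fi
    # CIS benchmarks ask for MaxAuthTries of 4 or less (sshd's default is 6)
    v=$(sshd_get "$cfg" MaxAuthTries)
    if [ -z "$v" ] || [ "$v" -gt 4 ] 2>/dev/null; then
        echo "sshd-maxauthtries-too-high (${v:-default 6})"
    fi
    return 0
}

# tcp_wrappers: hosts.allow must name sshd with explicit clients (not ALL),
# and hosts.deny must carry the default deny "ALL: ALL".
wrappers_audit() {
    allow=$1 deny=$2
    if grep -Eiq '^[[:space:]]*(sshd|ALL)[[:space:]]*:[[:space:]]*ALL[[:space:]]*$' "$allow"; then
        echo "wrappers-sshd-open-to-all"
    fi
    grep -Eiq '^[[:space:]]*sshd[[:space:]]*:' "$allow" || echo "wrappers-no-sshd-allow-rule"
    grep -Eiq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL[[:space:]]*$' "$deny" || echo "wrappers-no-default-deny"
    return 0
}

# $1 = directory holding sshd_config, hosts.allow and hosts.deny
remote_access_audit() {
    sshd_audit "$1/sshd_config"
    wrappers_audit "$1/hosts.allow" "$1/hosts.deny"
}
remote_access_count() { remote_access_audit "$1" | awk 'END { print NR }'; }

# Constructed weak and hardened samples.
make_ssh_samples() {
    d=$(mktemp -d)
    mkdir -p "$d/weak" "$d/hard"
    # weak: what a fresh install often ships with
    cat > "$d/weak/sshd_config" <<'EOF'
Port 22
PermitRootLogin yes
MaxAuthTries 10
#Banner none
EOF
    printf 'sshd: ALL\n' > "$d/weak/hosts.allow"
    : > "$d/weak/hosts.deny"
    # hardened: RFC 5737 documentation subnets stand in for real ones
    printf 'This system is for authorized use only. Activity is monitored and logged.\n' \
        > "$d/hard/issue.net"
    cat > "$d/hard/sshd_config" <<EOF
Port 22
PermitRootLogin no
MaxAuthTries 4
Banner $d/hard/issue.net
EOF
    printf 'sshd: 192.0.2.0/255.255.255.0 198.51.100.0/255.255.255.0\n' > "$d/hard/hosts.allow"
    printf 'ALL: ALL\n' > "$d/hard/hosts.deny"
    printf '%s\n' "$d"
}

# Run directly: weak sample produces findings, hardened sample produces none.
SSH_SAMPLES=$(make_ssh_samples)
echo "weak:";     remote_access_audit "$SSH_SAMPLES/weak"
echo "hardened:"; remote_access_audit "$SSH_SAMPLES/hard"
```

OpenSSH removed its built-in tcp_wrappers support in 6.7, so on builds without libwrap the subnet restriction has to be enforced by the host or appliance firewall called for in Networking item 1 (or with a Match Address block) rather than by hosts.allow; the wrappers_audit checks then only confirm that the files are not silently relied on.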

Hosting

Number Recommendation/Description References
1 Encrypted backups should be taken regularly, and all on/off site storage should be physically secure.
2 (PCI/DSS) Clocks must be synchronized to two (2) internally hosted time servers. Note: as of 5/15/08, NU has only one recognized internal time server (time.northwestern.edu). 15
3 Housed at University data center or similar setup.

Ongoing

Number Recommendation/Description References
1 Mandatory audit log monitoring program or procedure by personnel of the department owning the logs or an approved subcontractor/vendor. 4
2 (PCI/DSS) Logs must be reviewed, or aggregated and then reviewed, daily. 15
3 (PCI/DSS) Logs must be available online (electronically) for three months, available on tape (or other removable media) for one year. 15
4 (PCI/DSS) Ensure that all system components and software have the latest vendor-supplied security patches installed. Install relevant security patches within one month of release. 15
5 (PCI/DSS) Establish a process to identify newly discovered security vulnerabilities (for example, subscribe to alert services freely available on the Internet). Update standards to address new vulnerability issues. 15
6 Encrypt sensitive data (Recommendations currently in development). 14
7 Defined process for approval, acceptable use, and removal of system privileges
8 (PCI/DSS) Follow change control procedures for all system and software configuration changes. 15
9 (PCI/DSS) Identify all users with a unique user name with at least one authentication method (passphrase, token device and/or biometrics). 15
10 (PCI/DSS) Immediately revoke access for any terminated users. 15
11 Remove inactive user accounts at least every 90 days. 15
12 (PCI/DSS) Set first-time passwords to a unique value for each user and change immediately after the first use. 15

RedHat Linux Server Security Recommendations

Installation

Number Recommendation/Description References
1 Apply latest OS patches. 18
2 Systems (servers) with a NetID password feed may not be used for multiple purposes. Exceptions require approval of Northwestern IT-ISS/C.
3 (PCI/DSS) Implement only one primary function per server (for example, web servers, database servers, and DNS should be implemented on separate servers). 15

Configuration

Number Recommendation/Description References
1 Remove, disable or change password of default accounts (including “nobody”). 1, 2, 3, 4, 18
2 Configure System Accounting. 18
3 Disable unnecessary services in inetd and discontinue use of xinetd. 18
4 Configure TCP Wrappers and firewall to limit unnecessary access. 18
5 Do not enable the following services unless absolutely necessary (telnet, FTP, rlogin, TFTP, LPR, dovecot). 18
6 Minimize boot services (see CIS Security guide for details). 18
7 Set the daemon umask to at least 027. 18
8 Configure sendmail to only listen on the localhost. 18
9 Disable GUI logins and X, if possible. 18
10 Do not enable SMB, LPD, NFS, NIS, RPC, SNMP, DNS, or HTTP/HTTPS services unless necessary. 18
11 Tune the kernel parameters as described in the CIS benchmark guide. 18
12 Log syslog authpriv facility messages, configure system log file permission as described in the CIS benchmark guide and log syslog messages to a central log server. 18
13 Disable user-mountable removable media. 18
14 Verify file permissions on password files (passwd and shadow). 18
15 Set the sticky bit on world writeable directories. 18
16 Verify that there are no accounts with empty password fields in /etc/shadow and verify no legacy '+' entries exist in passwd, shadow, and group files. 18
17 Set account expiration parameters. 18
18 Verify that no UID 0 accounts other than root exist. 18
19 No '.' or group/world-writable directory in root’s path. 18
20 No user dot files should be group/world writable (mode 744 or more restrictive). 18
21 Remove user .netrc files. 18
22 Set the default umask for all users. 18
23 Disable USB services. 18
24 Use PAM to enforce a strong password policy and disable .rhosts support in PAM config files. 18
25 Restrict at and cron to authorized users 18
26 Create warnings for physical access services (console), GUI logins and any remote access services that were enabled (ie Telnet, FTP, SSH, etc). 18
27 Remove compilers and make if not necessary. 18
28 (PCI/DSS) Ensure that all system components and software have the latest vendor-supplied security patches installed. Install relevant security patches within one month of release. 15
29 (PCI/DSS) Deploy anti-virus software on all systems commonly affected by viruses, ensure that anti-virus programs are capable of detecting, removing, and protecting against other forms of malicious software, including spyware and adware. 15
30 (PCI/DSS) Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs. 15
31 Clock must be automatically synchronized to a recognized time server (time.northwestern.edu) 1, 2, 3, 12
32 Departments must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise. 19
33 Departments must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in emergency situations. 19
34 Departments must: (i) ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions; (ii) ensure that organizational information and information systems are protected during and after personnel actions such as terminations and transfers; and (iii) employ formal sanctions for personnel failing to comply with organizational security policies and procedures. 19
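Item 11 defers to the CIS benchmark for the kernel parameters; item 5 of the UNIX table above spells out the intent (restrict core dumps, protect the stack and address space, harden TCP/IP). The following is an added example, not code from this page or the CIS benchmark: a shell audit that compares a sysctl.conf-style file against a baseline of the Linux keys the CIS Linux benchmarks list for those goals (fs.suid_dumpable for core dumps, kernel.randomize_va_space for address-space protection, and the IPv4 forwarding/redirect/source-route/rp_filter/syncookies settings). It assumes the "key = value" syntax with dotted key names and audits a constructed file so it runs offline; on a live host feed it the output of sysctl -a instead. The Solaris-specific bullets (noexec_user_stack, TCP ISN strength) have no direct Linux sysctl and are not covered.

```shell
#!/bin/sh
# Added example, not code from the Northwestern page or the CIS benchmark.
# Compares a sysctl.conf-style file with a baseline of Linux kernel settings
# for item 11 (and item 5 of the UNIX table). Assumes "key = value" lines
# with dotted keys; '#' or ';' start a comment.

# key and required value, one pair per line (CIS Linux benchmark values)
KERNEL_BASELINE='
fs.suid_dumpable 0
kernel.randomize_va_space 2
net.ipv4.ip_forward 0
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.all.log_martians 1
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.tcp_syncookies 1
'

# Normalise "key = value" lines to "key value"; drop comments and blank lines.
sysctl_file_values() {
    sed -e 's/[#;].*//' -e 's/[[:space:]]*=[[:space:]]*/ /' -e '/^[[:space:]]*$/d' "$1"
}

# One line per deviation: "missing KEY (want V)" or "mismatch KEY=X (want V)".
# When a key is set more than once the last setting wins, as sysctl does.
sysctl_audit() {
    actual=$(sysctl_file_values "$1")
    printf '%s\n' "$KERNEL_BASELINE" | while read -r key want; do
        [ -n "$key" ] || continue
        have=$(printf '%s\n' "$actual" | awk -v k="$key" '$1 == k { v = $2 } END { print v }')
        if [ -z "$have" ]; then
            echo "missing $key (want $want)"
        elif [ "$have" != "$want" ]; then
            echo "mismatch $key=$have (want $want)"
        fi
    done
    return 0
}
sysctl_audit_count() { sysctl_audit "$1" | awk 'END { print NR }'; }

# Constructed samples: a weak file with forwarding and redirects left on and
# several keys absent, and a hardened file generated from the baseline.
make_sysctl_samples() {
    d=$(mktemp -d)
    cat > "$d/sysctl.conf.weak" <<'EOF'
# constructed: a box that was once a router, defaults left in place
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.tcp_syncookies = 1
kernel.randomize_va_space = 2
fs.suid_dumpable = 0
EOF
    printf '%s\n' "$KERNEL_BASELINE" | awk 'NF == 2 { print $1 " = " $2 }' > "$d/sysctl.conf.hard"
    printf '%s\n' "$d"
}

# Run directly: print the weak file's deviations (the hardened file has none).
SYSCTL_SAMPLES=$(make_sysctl_samples)
sysctl_audit "$SYSCTL_SAMPLES/sysctl.conf.weak"
```

A value present in /etc/sysctl.conf is not the same as a value present in the running kernel: a later file in /etc/sysctl.d or a service that flips ip_forward can override it, so audit `sysctl -a` output on the live host and treat the file only as the declared intent.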
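Items 16 through 19 (restating item 9 of the UNIX table) are all answerable from copies of passwd, shadow and group plus root's PATH, which makes them a natural periodic check. The following is an added example, not code from this page or the CIS benchmarks: a shell audit that reports empty password fields, legacy '+' entries, UID 0 accounts other than root, accounts with a live password hash but no usable maximum password age, and a root PATH containing '.', an empty entry, or a group/world-writable directory. The sample passwd/shadow/group files and directories it builds are constructed for the demonstration (the hashes are placeholders, not real); the 90-day maximum password age is an assumed threshold, borrowed from the inactive-account interval in the Ongoing table, and can be changed through PASSWORD_MAX_AGE. On a live host pass /etc/passwd, /etc/shadow and /etc/group (reading shadow needs root) and the PATH from root's login environment.

```shell
#!/bin/sh
# Added example, not code from the Northwestern page or the CIS benchmarks.
# Account and root-PATH checks for RedHat items 16-19 / UNIX item 9, run on
# copies of passwd, shadow and group so it can be tried unprivileged, offline.

# Assumed threshold: the policy's 90-day inactive-account interval reused as
# the maximum password age; adjust to the department's standard.
PASSWORD_MAX_AGE=${PASSWORD_MAX_AGE:-90}

# One finding per line; always returns 0. $1 passwd, $2 shadow, $3 group.
account_audit() {
    passwd=$1 shadow=$2 group=$3
    # empty password field in shadow: login succeeds with no password at all
    awk -F: '$2 == "" { print "empty-password " $1 }' "$shadow"
    # legacy NIS '+' entries: with NIS gone they can grant access to anyone
    grep -n '^+' "$passwd" "$shadow" "$group" 2>/dev/null \
        | sed 's|^|legacy-plus-entry |'
    # any UID 0 account other than root is a second superuser
    awk -F: '$3 == 0 && $1 != "root" { print "uid0-not-root " $1 }' "$passwd"
    # live hash (not locked with * or !) but no enforceable maximum age
    awk -F: -v max="$PASSWORD_MAX_AGE" '
        $2 != "" && $2 !~ /^[*!]/ && ($5 == "" || $5 + 0 > max + 0) {
            print "no-password-expiry " $1 " (max " ($5 == "" ? "unset" : $5) " days)"
        }' "$shadow"
    return 0
}
account_audit_count() { account_audit "$1" "$2" "$3" | awk 'END { print NR }'; }

# Check a PATH value (root's is the one that matters) for '.' or empty
# entries and for directories that group or world can write to.
path_audit() {
    case ":$1:" in
        *::*|*:.:*) echo "path-contains-dot-or-empty-entry" ;;
    esac
    printf '%s\n' "$1" | tr ':' '\n' | while read -r dir; do
        case $dir in ''|.) continue ;; esac
        [ -d "$dir" ] || continue
        find "$dir" -maxdepth 0 -type d \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null \
            | sed 's|^|path-writable-dir |'
    done
    return 0
}

# Constructed sample: a second UID 0 account, an empty password, '+' entries,
# a never-expiring root password, and a world-writable directory on the PATH.
make_account_samples() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
toor:x:0:0:second superuser:/root:/bin/sh
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
+::::::
EOF
    cat > "$d/shadow" <<'EOF'
root:$6$saltsaltsaltsalt$notarealhashnotarealhashnotarealhash:17800:0:99999:7:::
toor:$6$saltsaltsaltsalt$notarealhashnotarealhashnotarealhash:17800:0:60:7:::
daemon:*:17800:0:99999:7:::
alice::17800:0:99999:7:::
EOF
    cat > "$d/group" <<'EOF'
root:x:0:
alice:x:1000:
+:::
EOF
    mkdir -p "$d/usr/bin" "$d/opt/tools"
    chmod 755 "$d/usr/bin"
    chmod 777 "$d/opt/tools"
    printf '%s\n' "$d"
}

# Run directly: print the findings for the sample files and a sample PATH.
ACCT=$(make_account_samples)
account_audit "$ACCT/passwd" "$ACCT/shadow" "$ACCT/group"
path_audit "$ACCT/usr/bin:$ACCT/opt/tools:."
```

The expiry check deliberately skips locked accounts (hash beginning with * or !), so service accounts that should never have a password are not reported; what it does flag is any account someone can actually log in to whose password the quarterly rotation in this policy cannot force.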

Networking

Number Recommendation/Description References
1 Appliance based firewall required. If a host based firewall option is available, consider using it in addition to the appliance. 13
2 (PCI/DSS) Build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data, including any connections from wireless networks. 15
3 (PCI/DSS) Prohibit direct public access between external networks and any system component that stores cardholder data (for example, databases, logs, trace files). 15
4 No open, non-authenticated NFS mounts may be enabled. 5, 18
5 (PCI/DSS) Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS (transport layer security) for web-based management and other non-console administrative access. 15
6 Remote access software (SSH) must be disabled or restricted to specific IP addresses/subnets by default. It can be temporarily enabled on a case by case basis by authorized personnel. Only software that supports end to end encryption should be used for this purpose. 18

Hosting

Number Recommendation/Description References
1 Encrypted backups should be taken regularly, and all on/off site storage should be physically secure.
2 (PCI/DSS) Clocks must be synchronized to two (2) internally hosted time servers. Note: as of 5/15/08, NU has only one recognized internal time server (time.northwestern.edu). 15
3 Housed at University data center or similar setup.

Ongoing

Number Recommendation/Description References
1 Mandatory audit log monitoring program or procedure by personnel of the department owning the logs or an approved subcontractor/vendor. 4
2 (PCI/DSS) Logs must be reviewed, or aggregated and then reviewed, daily. 15
3 (PCI/DSS) Logs must be available online (electronically) for three months, available on tape (or other removable media) for one year. 15
4 (PCI/DSS) Ensure that all system components and software have the latest vendor-supplied security patches installed. Install relevant security patches within one month of release. 15
5 (PCI/DSS) Establish a process to identify newly discovered security vulnerabilities (for example, subscribe to alert services freely available on the Internet). Update standards to address new vulnerability issues. 15
6 Encrypt sensitive data (Recommendations currently in development). 14
7 Defined process for approval, acceptable use, and removal of system privileges.
8 (PCI/DSS) Follow change control procedures for all system and software configuration changes. 15
9 (PCI/DSS) Identify all users with a unique user name with at least one authentication method (passphrase, token device and/or biometrics). 15
10 (PCI/DSS) Immediately revoke access for any terminated users. 15
11 Remove inactive user accounts at least every 90 days. 15
12 (PCI/DSS) Set first-time passwords to a unique value for each user and change immediately after the first use. 15

OS X Server Security Recommendations


Installation

Number Recommendation/Description References
1 Apply latest OS patches. 18
2 Systems (servers) with a NetID password feed may not be used for multiple purposes. Exceptions require approval of Northwestern IT-ISS/C.
3 (PCI/DSS) Implement only one primary function per server (for example, web servers, database servers, and DNS should be implemented on separate servers). 15

Configuration

Number Recommendation/Description References
1 Remove, disable or change password of default accounts. 1, 2, 3, 4
2 Configure System Accounting. 16, 17, 18
3 Disable unnecessary services in inetd and discontinue use of xinetd. 16, 17, 18
4 Configure TCP Wrappers and firewall to limit unnecessary access. 16, 17, 18
5 Do not enable the following services unless absolutely necessary (telnet, FTP, rlogin, TFTP, LPR, dovecot). 16, 17, 18
6 Minimize boot services (see CIS Security guide for details). 16, 17, 18
7 Set the daemon umask to at least 027. 18
8 Configure sendmail to only listen on the localhost.
9 Disable GUI logins and X, if possible. 18
10 Do not enable SMB, LPD, NFS, NIS, RPC, SNMP, DNS, or HTTP/HTTPS services unless necessary. 18
11 Tune the kernel parameters as described in the CIS benchmark guide. 16, 17, 18
12 Log syslog authpriv facility messages, configure system log file permission as described in the CIS benchmark guide and log syslog messages to a central log server. 18
13 Disable user-mountable removable media. 18
14 Verify file permissions on password files (passwd and shadow). 15
15 Set the sticky bit on world writeable directories. 15
16 Verify that there are no accounts with empty password fields in /etc/shadow and verify no legacy '+' entries exist in passwd, shadow, and group files. 15
17 Set account expiration parameters. 1, 2, 3, 12
18 Verify that no UID 0 accounts other than root exist. 19
19 No '.' or group/world-writable directory in root’s path. 19
20 No user dot files should be group/world writable (mode 744 or more restrictive). 19

Networking

Number Recommendation/Description References
1 Appliance based firewall required. If a host based firewall option is available, consider using it in addition to the appliance. 13
2 (PCI/DSS) Build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data, including any connections from wireless networks. 15
3 (PCI/DSS) Prohibit direct public access between external networks and any system component that stores cardholder data (for example, databases, logs, trace files). 15
4 No open, non-authenticated shares/mounts may be enabled. 5, 18
5 (PCI/DSS) Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS (transport layer security) for web-based management and other non-console administrative access. 15
6 Remote access software (SSH) must be disabled or restricted to specific IP addresses/subnets by default. It can be temporarily enabled on a case by case basis by authorized personnel. Only software that supports end to end encryption should be used for this purpose. 18

Hosting

Number Recommendation/Description References
1 Encrypted backups should be taken regularly, and all on/off site storage should be physically secure.
2 (PCI/DSS) Clocks must be synchronized to two (2) internally hosted time servers. Note: as of 5/15/08, NU has only one recognized internal time server (time.northwestern.edu). 15
3 Housed at University data center or similar setup.

Ongoing

Number Recommendation/Description References
1 Mandatory audit log monitoring program or procedure by personnel of the department owning the logs or an approved subcontractor/vendor. 4
2 (PCI/DSS) Logs must be reviewed, or aggregated and then reviewed, daily. 15
3 (PCI/DSS) Logs must be available online (electronically) for three months, available on tape (or other removable media) for one year. 15
4 (PCI/DSS) Ensure that all system components and software have the latest vendor-supplied security patches installed. Install relevant security patches within one month of release. 15
5 (PCI/DSS) Establish a process to identify newly discovered security vulnerabilities (for example, subscribe to alert services freely available on the Internet). Update standards to address new vulnerability issues. 15
6 Encrypt sensitive data (Recommendations currently in development). 14
7 Defined process for approval, acceptable use, and removal of system privileges.
8 (PCI/DSS) Follow change control procedures for all system and software configuration changes. 15
9 (PCI/DSS) Identify all users with a unique user name with at least one authentication method (passphrase, token device and/or biometrics). 15
10 (PCI/DSS) Immediately revoke access for any terminated users. 15
11 Remove inactive user accounts at least every 90 days. 15
12 (PCI/DSS) Set first-time passwords to a unique value for each user and change immediately after the first use. 15

Policy Review Date:

December 2016

July 2012

Original Issue Date:

August 2006

Revision Dates:

December 2016

June 2008

July 2007

Additional Information:

Server Security Requirements & References - 08/31/2006 (PDF)

Resources

  1. Windows Server Security Guides

    Windows Security Baselines
    Windows Server 2012
    Windows Server 2008 R2
    Windows 10
    Windows 8
    Windows 7

  2. Unix security Guides
    http://www.cisecurity.org
  3. NIST Security Guides
    http://csrc.nist.gov/publications/PubsSPs.html
    http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf
  4. MS article on file sharing - How to enable simple file sharing
    http://support.microsoft.com/?id=304040
    http://support.microsoft.com/?kbid=254219
  5. Removing the LM Hash
    http://support.microsoft.com/default.aspx?scid=kb;en-us;299656
  6. Port Reporter
    http://support.microsoft.com/?id=837243
  7. Microsoft Baseline Security Analyzer
    http://www.microsoft.com/technet/security/tools/mbsahome.mspx
  8. Symantec Anti-Virus
    http://www.it.northwestern.edu/software/sav
    http://www.symantec.com/index.htm
  9. CERT-CC: Before you connect a computer to the Internet
    http://www.cert.org/tech_tips/before_you_plug_in.html
  10. NIST Internet Time Servers
    http://tf.nist.gov/service/time-servers.html
  11. NU Firewall Strategy Guide
    http://www.it.northwestern.edu/bin/docs/firewall_strategies_wp.pdf
  12. Encryption
    Northwestern University encryption recommendation – In development
    http://www.pgp.com/
    http://www.pgpi.org/
    http://www.gnupg.org/
    http://www.microsoft.com/technet/security/topics/cryptographyetc/efs.mspx
    http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx
    http://www.microsoft.com/windowsxp/evaluation/features/filesystem.mspx
  13. Payment Card Industry Data Security Standard (PCI/DSS)
    https://www.pcisecuritystandards.org/tech/download_the_pci_dss.htm
  14. Mac OS X Server Security Configuration for Version 10.4 or Later (Second Edition)
    http://images.apple.com/server/macosx/docs/Tiger_Security_Config_021507.pdf
  15. Common Criterion Configuration and Administration Guide: Setting up and administrating the Common Criteria configuration using Mac OS X or Mac OS X Server (1.0.1)
    http://images.apple.com/support/security/commoncriteria/CommonCriteriaAdminGuide.pdf
  16. Center for Internet Security (CIS)
    http://www.cisecurity.org
  17. FIPS PUB 200 - Minimum Security Requirements for Federal Information and Information Systems
    http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf